Cybersecurity

Marvin Ammori is a leading First Amendment lawyer and Internet policy expert. He was instrumental to the adoption of network neutrality rules in the US and abroad, having been perhaps the nation’s leading legal advocate advancing network neutrality, and also instrumental to the defeat of the SOPA and PIPA copyright/censorship bills.

Kristen Eichensehr is Assistant Professor of Law at UCLA School of Law. Her primary research and teaching interests center on international, foreign relations, and national security law issues, including cybersecurity.

Marshall Erwin is currently a senior staff analyst at Mozilla, where he focuses on data security, privacy, and surveillance. He is an expert in intelligence policy and a co-founder of OvertAction.org, a web platform for current and former intelligence professionals to provide analysis and debate on pressing national security challenges.

Henry Farrell is associate professor of political science and international affairs at George Washington University. He has previously been a fellow at the Woodrow Wilson Center for International Scholars, assistant professor at George Washington University and the University of Toronto, and a senior research fellow at the Max-Planck Project Group in Bonn, Germany. He works on a variety of topics, including trust, the politics of the Internet and international and comparative political economy.


Today, 21 cyberlaw and/or cybersecurity professors and researchers joined a letter calling for the Senate to reject the Cybersecurity Information Sharing Act ("CISA"). Endorsing the concerns raised in an April 2015 technologists' letter, the signatories identify the fundamental problem with CISA, namely, that it will achieve little to address the real cybersecurity challenges facing US industry.

It’s the season for “cyberthreat” information sharing proposals. There’s the White House plan, announced in January. There’s the Cybersecurity Information Sharing Act, or CISA, which passed out of the Senate Intelligence Committee on a 14-1 vote earlier this month.

Tomorrow, the U.S. House Judiciary Committee will hold a hearing on reforming the Computer Fraud and Abuse Act (CFAA). Before you start thinking, "it's about time", note that the witness list includes someone from the Department of Justice, the Federal Bureau of Investigation and the Business Software Alliance. The only reform proponent is former computer crime prosecutor Orin Kerr, now a Professor at George Washington University Law School.

The FBI has been arguing for years that the approach of Apple and other companies that strongly encrypt phones is a big problem for law enforcement, which cannot get access to information it needs to catch criminals. Some days ago, these claims led to a big controversy when it turned out the FBI had, for years, been accidentally exaggerating the number of phones it couldn’t open.

The Trump Administration this week formally accused the North Korean government of responsibility for the WannaCry ransomware attacks that hobbled hundreds of thousands of computers “in more than 150 countries” in May 2017.

Rep. Tom Graves (R-GA) and Rep. Kyrsten Sinema (D-AZ) introduced the Active Cyber Defense Certainty Act (H.R. 4036) in the House of Representatives on Oct. 13. The bill would amend the Computer Fraud and Abuse Act (CFAA)—the main federal statute that governs computer hacking—effectively to allow victims of certain cyber intrusions to take defensive measures that would otherwise violate the CFAA’s prohibitions on unauthorized access to computers.


Arguing that a defendant’s conviction for website hacking should be overturned because legitimate, highly valuable security and privacy research commonly employs techniques that are essentially identical to what the defendant did and that such independent research is of great value to academics, government regulators and the public even when (often especially when) conducted without a website owner’s permission.

“There's nothing preventing an Apple employee from doing the exact same thing in a world where there's mandatory key escrow for exceptional access to smartphones,” said Riana Pfefferkorn, a cryptography fellow at the Stanford Center for Internet and Society. “Once the deed is done by an insider, then what was supposed to be a tool only for the ‘good guys’ is out there for the ‘bad guys’ as well.”

Working out those details is important, because many companies that collect personal data continue making "fundamental mistakes" in how they protect it, said Richard Forno, assistant director of the UMBC Center for Cybersecurity.

"In 2018, we should not be seeing these types of incidents and breaches," he said.

“The federal government is the largest consumer of commercial wireless services and is susceptible to the same cybersecurity risks in our communications infrastructure,” Jonathan Mayer, a computer science professor at Princeton University, told the panel.

“A foreign intelligence service could easily use cell-site simulators to collect highly confidential information about government operations, deliberations and personnel movements,” Mayer added.

University of Maryland, Baltimore County's cybersecurity graduate program director Richard Forno echoed Williams' analysis and said even a simple Google search could cull results that warned about our dire state of federal cybersecurity decades earlier.

"Government reports like this just literally say the same thing year after year: 'here are a couple of recommendations on how we can fix things' and a year goes by, and it says the exact same thing," Forno said.

“It would be hard to prove that records haven’t been made,” said Scott Shackelford, a cybersecurity expert and associate professor of business law and ethics at Indiana University’s Kelley School of Business.

SamSam works by gaining access to a computer system and encrypting all of the data so that it is useless unless a ransom is paid. Once that happens — generally with Bitcoin or some other type of cryptocurrency — thieves provide a key to unlock the data.

Riana Pfefferkorn, cryptography fellow at Stanford Law School's Center for Internet and Society, said the enforcement action could "light a fire" under other public companies to disclose their own cybersecurity incidents, though the case may not help determine where to set the bar for reporting.

Even Hutchins’s defenders say if he’s guilty some punishment is in order, but his prosecution also sends a mixed message. Hutchins had been a model of public-private cooperation at a time when the government was having difficulty recruiting cybersecurity talent. (James Comey irritated the community in 2014 when he said the FBI struggled to hire people because “some of those kids want to smoke weed on the way to the interview.”) Some security researchers said they would stop sharing information with the government in protest.

The level of computer security is such that it would be “kind of shocking” if at least some government data weren’t accessible to hackers, said Brian Nussbaum, a former intelligence analyst and a professor at SUNY Albany.

Business law professor and author of the study Scott Shackelford says it would be similar to the National Transportation Safety Board investigation model. He says that model is applicable to cybersecurity.

“It’s not only formal investigators that dig into the details of why an airplane happened to crash, but they look into bigger issues like culture at manufacturers, at airlines,” says Shackelford. “We thought a similar approach would be really helpful for cybersecurity because typically, it’s not just one thing that’s at fault in big data breaches.”

Kristen Eichensehr, an assistant professor at UCLA School of Law who specializes in cybersecurity issues, said the Europeans begin any privacy discussion with a presumption that individuals have a right to control their personal information.

“We don’t have a similar right in this country,” she observed.

For that reason, Eichensehr said, “it’s hard to imagine much of what Europe is doing being implemented in the U.S.”


Join Mozilla and the Stanford Center for Internet and Society for the third installment in a series of conversations about government hacking. Information from our first two events, discussing the vulnerability disclosure process and recent changes to Federal Rule of Criminal Procedure 41, is available online.

Sextortion—defined as blackmail (often by the threat of releasing sexually explicit images of the victim) carried out over a computer network, which forces victims to engage in some form of sexual activity online—is a new term for a new crime. The remote coercion of sex is a crime that was impossible until recently, but with the expansion of the Internet and proliferation of webcams, sextortion is a growing form of exploitation. This remarkably understudied crime has affected thousands of people, almost entirely women and children.

Have you ever borrowed a smartphone without asking? Modified a URL? Scraped a website? Called an undocumented API? Congratulations: you might have violated federal law! A 1986 statute, the Computer Fraud and Abuse Act (CFAA), provides both civil and criminal remedies for mere "unauthorized" access to a computer.

On January 19, 2012, Kim DotCom was arrested in a dramatic raid after being indicted on federal criminal charges that he knew that his website, MegaUpload, was a haven of piracy and counterfeiting. In the days that followed, the media commented on the presumed guilt of MegaUpload. In this debate, Jim argues that the law and evidence clearly point to MegaUpload's officers being found guilty, while Jennifer will argue that the MegaUpload case is built on unprecedented and wrongheaded interpretations of copyright law, and thus the principals should be found not guilty.

Prompted by the Google Street View WiFi sniffing scandal, the question of whether and how the law regulates interception of unencrypted wireless communications has become a hot topic in the courts, in the halls of the FCC, on Capitol Hill, and in the security community. Are open WiFi communications protected by federal wiretap law, unprotected, or some strange mix of the two? (Surprise: it may be the last one, so you'll want to come learn the line between what's probably illegal sniffing and what's probably not.)

Evgeny Morozov and Andrew McLaughlin will debate the sincerity, utility and repercussions of America's commitment to a free Internet. They will discuss the desirability of network neutrality and network regulation in the context of US foreign policy, the ways to balance user privacy with the growing needs of law enforcement agencies, and the emerging threats to freedom of expression that are inherent in the technical design as well as the business imperatives of today's Web.

Andrew is a lawyer (Harvard '94) who has worked as Deputy Chief Technology Officer of the U.S. in the Obama White House, Director of Global Public Policy at Google, Vice President and Chief Policy Officer at ICANN, Senior Fellow at the Berkman Center, and as a member of the litigation team that successfully challenged the Communications Decency Act before the Supreme Court in 1997.

Please RSVP for this free event.


In this episode, Kristen Eichensehr discusses the challenge of extraterritoriality in cyber, the concept of "digital Switzerlands," companies acting increasingly like nation-states and running their own foreign policies, and laws and regulations that can create incentives to give up on cybersecurity.

That inability to address growing cyber risk is part of what makes state and local governments easy targets for hackers, says Brian Nussbaum, a professor focusing on cybersecurity at the State University of New York at Albany. At the federal level, defense and intelligence agencies have large security staffs with deep expertise that other federal agencies often rely on. “States really don’t have that deep well of technical assistance to draw upon,” says Nussbaum.

FBI Director James Comey has said that voter-registration sites in at least a dozen states — including Arizona — were targeted by hackers.

Department of Homeland Security Secretary Jeh Johnson has broached the idea of increasing the protection for the nation’s voting systems. They could potentially be put under the umbrella of critical infrastructure, which currently includes the electrical grid and the banking system, among other things.

Last week Yahoo announced that 500 million accounts had been hacked – consumer names, email addresses, phone messages, passwords and birth dates were stolen. It is one of the biggest security breaches in history. We’ve been seeing a lot more cyber attacks on companies, individuals and the government in recent years. So who is behind them and what can consumers do to protect ourselves online?

Emails of the Democratic National Committee were leaked this summer. Last year, a Chinese hack of the US Office of Personnel Management exposed the personal data of millions of Americans. So, how safe is the ballot box? Cybersecurity expert Dr. Richard Forno, Assistant Director of the UMBC Center for Cybersecurity, walks us through the potential vulnerabilities of voting systems in America.

Many of America’s top cybersecurity executives are gathering in Las Vegas this week for an annual conference known as Black Hat 2016. Organizers say hacking remains a major concern and that much of the country’s digital infrastructure is vulnerable, as demonstrated by a series of recent high-profile attacks on consumer companies and political organizations. So what can be done to keep information safe? On this week’s HashtagVOA, we ask a few experts for answers.

Last week, health insurance giant Anthem revealed that the personal information of as many as 80 million customers was stolen by hackers. This news came just days before President Obama announced the creation of a new agency to analyze and counter cyber threats. In this hour, we look at Obama’s cybersecurity agenda, and the cybersecurity challenges that face users in the coming year.